WO2008080637A1 - Method and apparatus for determining an authentication procedure - Google Patents

Method and apparatus for determining an authentication procedure Download PDF

Info

Publication number
WO2008080637A1
WO2008080637A1 PCT/EP2007/050097 EP2007050097W WO2008080637A1 WO 2008080637 A1 WO2008080637 A1 WO 2008080637A1 EP 2007050097 W EP2007050097 W EP 2007050097W WO 2008080637 A1 WO2008080637 A1 WO 2008080637A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain
visited
authentication
client
home
Prior art date
Application number
PCT/EP2007/050097
Other languages
French (fr)
Inventor
John Michael Walker
Mats NÄSLUND
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to EP07703657A priority Critical patent/EP2103077B1/en
Priority to CN2007800492254A priority patent/CN101573998B/en
Priority to AT07703657T priority patent/ATE501583T1/en
Priority to ES07703657T priority patent/ES2362444T3/en
Priority to DE602007013101T priority patent/DE602007013101D1/en
Priority to US12/521,717 priority patent/US8332912B2/en
Priority to PCT/EP2007/050097 priority patent/WO2008080637A1/en
Publication of WO2008080637A1 publication Critical patent/WO2008080637A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies

Definitions

  • the present invention relates to a method and apparatus for determining an authentication procedure to be applied to a client accessing or attempting to access services via a visited domain whilst having a service agreement with a home domain.
  • a key component of this model is a mechanism for allowing a visited domain to authenticate a user as a subscriber of the home domain.
  • the visited domain needs assistance from the home domain to implement this mechanism.
  • the typical approach is to provide within the home domain an "authentication server” which maintains long-term authentication credentials for a user and is the "root of trust” for the user.
  • An “authenticator” is provided within the visited domain and performs the actual authentication by communication with the authentication server and the user (or "client”).
  • 3GPP TS 33.102 describes a security architecture for the Universal Mobile Telecommunications Service (UMTS) networks which is, as far as possible, compatible with the pre-existing GSM networks.
  • UMTS Universal Mobile Telecommunications Service
  • TS 33.102 considers in particular the Authentication and Key Agreement (AKA) security protocol which is a mechanism for performing authentication and session key distribution.
  • AKA is a challenge-response based mechanism that uses symmetric cryptography.
  • AKA is typically run in a UMTS Subscriber Identity Module (USIM) which resides on a smart card like device.
  • the smart card possesses a secret K which is also known to an Authentication Centre (AuC) located within the user's home domain.
  • AuC Authentication Centre
  • the AKA mechanism is run between the client terminal and the visited domain, involving the home domain as a "back-end".
  • This process involves the visited domain being provided, by the home network, with an authentication vector comprising a challenge and an expected result.
  • the challenge is forwarded by the visited domain to the client terminal, which generates a challenge response (within the USIM) and returns this to the visited domain. If the challenge response matches the expected result, the visited domain authorises the client terminal to use its access services.
  • AKA also allows the client terminal to verify that its home domain has indeed been involved in the signalling process, which in turn allows the terminal to authenticate the visited domain.
  • the AKA authentication vector is good for only one access attempt by the client. If the client terminal subsequently deregisters from the visited domain (e.g. the terminal is powered down), a new authentication vector is required for any further registration.
  • TS 33.102 allows for the home domain to provide to the visited domain a set of authentication vectors at first registration, enabling the visited domain to perform multiple authentications for a given client terminal without having to contact the home domain for each individual registration.
  • Authentication in 2G networks is handled using a challenge and response approach similar to AKA.
  • a terminal transferring to a 2G access from a 3 G access (where both accesses belong to the same operator), a user can be implicitly authenticated/authorised in the new access by reuse of the previously used session keys.
  • delegating responsibility for authentication to the visited network may not always be satisfactory for the home domain, as the home domain must "blindly" trust that the visited domain is not making a false claim about the client's presence in the visited domain, or that the client is receiving the paid for services, etc. Whilst this trust model has worked well for established network operators, it may not apply to future network configurations as will be discussed below.
  • AAA Authentication, Authorization, and Accounting
  • the currently implemented protocols include RADIUS and DIAMETER.
  • a typical Internet scenario might involve a user attempting to use a WLAN hotspot (located for example in an Internet cafe or airport terminal) as an access network, when the user is a subscriber of an Internet Service Provider (ISP) broadband network.
  • ISP Internet Service Provider
  • authentication is done in the home domain, i.e. the authenticator and authentication server are both in the home domain. While this may be satisfactory to the home domain, it leads to sub-optimal performance due to the signalling overhead and impairs smooth hand-over/mobility within the visited domain.
  • a wireless terminal may communicate with a AAA client/authenticator within the access domain, with the AAA client communicating with a AAA server in the home domain.
  • End-to-end authentication signalling may be conveyed using the Extensible Authentication Protocol (EAP) which is an authentication framework rather than an actual authentication method.
  • EAP Extensible Authentication Protocol
  • One of the roles of EAP is to implement an authentication method beween endpoints.
  • the EAP-AKA method is one example of such an authentication method.
  • AKA data will be contained within EAP messages which are in turn contained within DIAMETER messages (for the AAA client to AAA server leg).
  • UMTS AKA as described above is a 3GPP-specific protocol which does not use AAA and EAP frameworks and should not be confused with EAP-AKA, although of course the actual AKA mechanism is common to both.
  • FIG. 1 This current protocol "architecture" is illustrated in Figure 1 , where the wireless access network is a 802.11 (WLAN) network and the AKA endpoint is in the home domain.
  • the AAA client/authenticator within the wireless network understands the EAP signalling, and converts EAP in the AAA signalling to EAP over LAN.
  • the AAA client/authenticator is transparent to AKA.
  • one or more AAA proxies may be present between the visited and home networks.
  • Communication standards are evolving to provide for the integration of different heterogeneous access domains into one single logical network. This will result in 3GPP -based access domains (e.g. GPRS, UMTS, LTE) and non-3GPP based access domains (e.g.
  • a home domain will likely ustilise AAA (e.g. DIAMETER) and EAP, and multiple EAP-methods (such as EAP AKA, EAP SIM, EAP TLS, etc) to communicate with the different access domains and terminals. It is however inevitable that a given home domain will place different levels of trust on different access domains. For example, a high level of trust might be placed on a 3 G access domain, whilst a very low level of trust may be placed on an Internet cafe WLAN.
  • a server for managing the authentication of clients that are subscribers of a home domain within which the server is located, the server comprising means for determining whether a client that is attached to a visited domain is to be authenticated by the home domain or by said visited domain, and for signalling the result to said visited domain.
  • Embodiments of the present invention introduce a dynamic flexibility into the authentication process. It is now possible for the home domain to determine where the authentication is to take place based upon static properties such as client subscription, and on changing properties such as visited network identity. This results in a service architecture which optimises signalling routes when appropriate whilst maintaining financial security.
  • the server may comprise a memory for storing authentication data for said clients.
  • the server is arranged, in the event that it determines that the visited network is to be responsible for authentication, to generate session data and to send this to said visited network.
  • this data may comprise an authentication vector.
  • the server comprises an interface for communicating with visited domains, first processing means for receiving via said interface a registration request sent by a visited domain in respect of one of said clients, and second processing means for determining whether the request is to be authenticated by the home domain or by the visited domain.
  • the second processing means is arranged, in the former case, to authenticate the request and signal the result to the visited domain via said interface, and, in the latter case, to signal to the visited domain via said interface that the visited domain is to be responsible for authenticating the request.
  • Said first processing means may be further arranged to receive via said interface a request from a visited network to transfer the authentication decision from one domain to another, in the case of a previously authenticated client.
  • Said second processing means is arranged to make a further determination and to notify the visited network accordingly.
  • the server may comprise means for determining that a previous decision to delegate an authentication procedure to the visited domain is to be revoked, and for signalling that decision to the visited domain.
  • the authentication procedure which may be delegated to the visited domain may be a second level procedure.
  • a first level procedure may be carried out by the home domain based, for example, upon terminal and/or user identity, prior to conducting the second level procedure at the home domain or, if delegated, at the visited domain.
  • a method of authenticating a client attached to a visited domain where the client is a subscriber of a home domain, the method comprising: sending an authentication request from the visited domain to the home domain in respect of said client; in the home domain, determining whether the client is to be authenticated by the home domain or by said visited domain; in the event that the client is to be authenticated by the home domain, carrying out said authentication in the home domain and signalling the result to the visited domain; and in the event that the client is to be authenticated by the visited domain, sending authentication data from the home domain to the visited domain, and using said data in the visited domain to authenticate the client.
  • said authentication request may be a DIAMETER Request.
  • this is signalled to the visited domain by sending a NACK.
  • the result of the authentication is subsequently signalled to the visited domain by sending an ACCEPT/REJECT message.
  • Authentication involves the exchange of a challenge and response between the home domain and the client.
  • this is signalled to the visited domain by sending an ACK message, together with authentication data.
  • a challenge and response exchange is conducted between the client and the visited domain.
  • Figure 1 illustrates various protocol layers involved in an authentication procedure for a wireless terminal attached to a visited network
  • Figure 2 illustrates schematically a communications system architecture comprising visited and home domains
  • Figures 3a and 3b are flow diagrams illustrating authentication decision processes carried out with an authentication server of a home domain
  • Figure 4 shows authentication related signalling for the case where a home domain takes the decision not to delegate responsibility for authentication to a visited domain
  • Figure 5 shows signalling associated with the case where a home domain decides to delegate responsibility for authentication to a visited domain for a limited period or number of tries
  • Figure 6 shows signalling associated with the delegation of authentication responsibility to a visited domain, with a subsequent decision to revoke that permission
  • Figure 7 is a signalling chart illustrating a case where a visited domain elects to request a transfer of authentication responsibility back to a home domain;
  • Figure 8 is a signalling chart illustrating a case where a visited domain elects to request a transfer of authentication responsibility to it, from the home domain;
  • Figure 9 illustrates a signalling flow in the case where a client is attached to a future
  • LTE Long Term Evolution
  • FIG. 2 a generic visited domain/home domain architecture which allows for roaming of subscribers (referred to below as "clients") of the home domain into the visited domain.
  • An authentication server 1 is located within the home domain 2 and maintains long-term authentication credentials of the home domain's clients. The authentication server may also act as authenticator for clients seeking to register with visited domains including the illustrated domain 3.
  • a separate authenticator 4 is located within the visited domain 3.
  • Figure 2 illustrates a client 5 attached to the visited domain 3.
  • the authentication server 1 receives access requests from a visited domain via an interface 6, whereupon processing means 7 within the authentication server makes decisions as to whether authentications are to be performed within the home domain or can be delegated to the visited domain.
  • the server may also determine that authentications are shared between the home and visited domains. For example, it may determine that only the first authentication is to be performed by the home domain and subsequent authentications are delegated to the visited domain, or that only every tenth authentication is to be performed by the home domain, etc. The server makes these decisions based upon certain available information.
  • This information may include, for example, one or more of the following; visited operator identity, access network type, user-id, type of network security being used in the access network of the visited domain, type of user authentication being carried out, selected Access Point Name (APN), Quality of Service (QoS) requirement, charging rules, type of subscription, type of terminal, user location (e.g. certain geographical areas might be considered less secure from a telecommunication point of view) .
  • visited operator identity e.g. certain geographical areas might be considered less secure from a telecommunication point of view
  • Figure 3 a is a flow diagram illustrating the delegation decision process taken by the authentication server within the home domain, namely evaluate input criteria (step 1), set authentication delegation conditions (step 2), and send authentication delegation response to visited domain (step 3).
  • Figure 3b is a flow diagram illustrating a delegation revocation decision process taken by the authentication server.
  • the authentication server evaluates the criteria to make the revocation decision (step 4), and sends an authentication revocation to the visited domain (step 5).
  • the access request is typically carried by a DIAMETER Request message sent between a AAA-client (possibly via AAA-proxy) in the visited domain and a HSS/AAA server within the home domain.
  • the home authentication server responds either by sending a DIAMETER Answer message containing a DIAMETER AVP (attribute-value-pair) with authentication data to be used by the visited domain, or by sending to the visited domain a special "NACK" message, informing the visited domain to allow the authentication procedure to proceed between the client and the home domain.
  • the visited domain either just relays authentication related authentication signalling (e.g.
  • the AKA authentication vector i.e. (RAND, XRES, AUTN, Ck, Ik) contains all of the information that the visited domain needs to assume the role of authenticator.
  • DIAMETER supports server-initiated requests that can be used for this purpose.
  • the home domain operator can also delegate authentication to the visited domain for a limited time or a limited number of re- authentications only, after which the visited domain must relay authentication signalling back to the home domain (at least until the home domain once again delegates responsibility for authentication to the visited domain).
  • the home domain operator can also decide that every N ⁇ authentication should be relayed by the visited domain back to the home domain. Any one of these approaches creates "check points" at which the home domain can choose to continue with or change the applied authentication policy.
  • DIAMETER generally requires the maintenance of session state information (e.g. for the purpose of accounting), this state information can be extended with information enabling the visited domain to decide when to perform authentication locally and when to defer it to the home domain.
  • the procedure described here does offer the visited domain the opportunity to refuse to "erase” authentication data it already has, and to continue to take the authenticator role even if the home domain revokes the delegated rights.
  • the visited network cannot be guaranteed that it will be paid for used services.
  • the client itself may elect not to continue.
  • FIG 4 shows authentication related signalling for the case where the home domain takes the decision not to delegate responsibility for authentication to the visited domain.
  • This may be implemented using the DIAMETER AAA protocol.
  • the initial request Req(IDc) is supplemented with the IDv at the AAA-visited server, and forwarded to the HSS/AAA home server (possibly via a AAA proxy).
  • the latter determines (based upon available information and policies) that no delegation is permitted, and returns a NACK to the AAA-visited server.
  • the challenge response process is then conducted between the HSS/AAA home authenticator and the client.
  • Figure 5 shows signalling associated with the case where the home domain decides to delegate responsibility for authentication for a limited period or number of tries.
  • the AAA-home server After receiving the request, the AAA-home server provides authentication data to the AAA- visited authenticator. The latter stores the received data and proceeds to authenticate the client using the received data and a challenge-response procedure. One or more re- authentications can be performed by the visited domain before it must revert to the home domain for a refresh (or denial) of the delegation.
  • FIG. 6 shows signalling associated with the case where the home domain delegates authentication responsibility to the visited domain, but subsequently decides to revoke that permission.
  • the home domain does this by sending a Revoke (IDc) message to the AAA-visited authenticator. This will typically force the client to re-authenticate at the home domain.
  • IDc Revoke
  • a visited domain to which authentication responsibility has previously been delegated (or which is configured to provide authentication by default), can request that the home domain change the authentication domain. This may arise, for example, in the following circumstances: The visited domain wishes to reduce its authentication signalling load;
  • the visited domain wants to ensure that the home domain is continuously aware of the presence of its roaming user in the visited domain; or
  • the client requests an APN or QoS that the visited domain deems requires authentication in the home domain.
  • a signalling chart illustrating this process is shown in Figure 7.
  • FIG 8 shows a signalling chart illustrating the case where the home domain has determined that it must be responsible for client authentication, and the visited domain subsequently requests that responsibility for authorisation be transferred from the home domain to the visited domain.
  • This situation may arise, for example, when a client requests an APN local to the visited domain or local breakout takes place, and in which cases the visited domain prefers to authenticate the client itself.
  • this illustrates a signalling flow in the case where the client (UE) is attached to a future 3GPP Long Term Evolution (LTE) based access domain (considering here OFDM, Rel8).
  • LTE Long Term Evolution
  • DIAMETER AAA will be deployed between the home and visited domains.
  • the initial user authentication is performed using AKA, with the authenticator being implemented at the MME within the visited domain (the "VPLMN").
  • the HSS within the home domain (the "HPLMN") provides the required authentication vector to the MME upon receipt of the request.
  • the session key included in the authentication vector is passed by the MME to the eNB via the UPE.
  • the flow illustrates the case where the HPLMN subsequently decides to revoke the authentication permission previously given the VPLMN, whereupon the MME sends an AUTH REQUEST to the client.
  • the challenge and response procedure is then conducted between the client and the HPLMN and, assuming this is successful, the session keys are sent from the home HPLMN to the VPLMN.
  • FIG 10 shows a signalling flow in the case where the client is attached to an I-WLAN access domain.
  • authentication would be performed within the home domain.
  • the home domain elects to delegate authentication responsibility to the access domain.
  • the IASA in the VPLMN which acts as authenticator after delegation.
  • this role could be performed by the Access Node (AN) although this approach would be less secure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Communication Control (AREA)
  • Computer And Data Communications (AREA)

Abstract

A server for managing the authentication of clients that are subscribers of a home domain within which the server is located, the server comprising means for determining whether a client that is attached to a visited domain is to be authenticated by the home domain or by said visited domain, and for signalling the result to said visited domain.

Description

METHOD AND APPARATUS FOR DETERMINING AN AUTHENTICATION
PROCEDURE
Technical Field
The present invention relates to a method and apparatus for determining an authentication procedure to be applied to a client accessing or attempting to access services via a visited domain whilst having a service agreement with a home domain.
Background
In the case of cellular telephone networks, a standard operating model has evolved over the years to enable users to roam outside of the home domain to which they subscribe, into so-called visited domains. This model allows users to roam in visited (e.g. foreign) domains whilst ensuring that the visited domain operators can recover incurred costs from the home domain. At the same time, the home domain operator can trust the visited domain operators to recharge only costs that are actually incurred. A key component of this model is a mechanism for allowing a visited domain to authenticate a user as a subscriber of the home domain. The visited domain needs assistance from the home domain to implement this mechanism. The typical approach is to provide within the home domain an "authentication server" which maintains long-term authentication credentials for a user and is the "root of trust" for the user. An "authenticator" is provided within the visited domain and performs the actual authentication by communication with the authentication server and the user (or "client").
3GPP TS 33.102 describes a security architecture for the Universal Mobile Telecommunications Service (UMTS) networks which is, as far as possible, compatible with the pre-existing GSM networks. TS 33.102 considers in particular the Authentication and Key Agreement (AKA) security protocol which is a mechanism for performing authentication and session key distribution. AKA is a challenge-response based mechanism that uses symmetric cryptography. Within a client terminal, AKA is typically run in a UMTS Subscriber Identity Module (USIM) which resides on a smart card like device. The smart card possesses a secret K which is also known to an Authentication Centre (AuC) located within the user's home domain. When a user attempts to register with a visited domain, the AKA mechanism is run between the client terminal and the visited domain, involving the home domain as a "back-end". This process involves the visited domain being provided, by the home network, with an authentication vector comprising a challenge and an expected result. The challenge is forwarded by the visited domain to the client terminal, which generates a challenge response (within the USIM) and returns this to the visited domain. If the challenge response matches the expected result, the visited domain authorises the client terminal to use its access services. AKA also allows the client terminal to verify that its home domain has indeed been involved in the signalling process, which in turn allows the terminal to authenticate the visited domain.
The AKA authentication vector is good for only one access attempt by the client. If the client terminal subsequently deregisters from the visited domain (e.g. the terminal is powered down), a new authentication vector is required for any further registration. TS 33.102 allows for the home domain to provide to the visited domain a set of authentication vectors at first registration, enabling the visited domain to perform multiple authentications for a given client terminal without having to contact the home domain for each individual registration.
Authentication in 2G networks is handled using a challenge and response approach similar to AKA.
The 2G and 3 G approaches to security enable (local) mobility and hand-overs since the home domain does not need to be involved in sub-sequent re-authentications. For example, in the case of a terminal transferring to a 2G access from a 3 G access (where both accesses belong to the same operator), a user can be implicitly authenticated/authorised in the new access by reuse of the previously used session keys.
However, delegating responsibility for authentication to the visited network may not always be satisfactory for the home domain, as the home domain must "blindly" trust that the visited domain is not making a false claim about the client's presence in the visited domain, or that the client is receiving the paid for services, etc. Whilst this trust model has worked well for established network operators, it may not apply to future network configurations as will be discussed below.
In the case of the Internet, the IETF has created under the heading Authentication, Authorization, and Accounting (AAA), a set of protocols for achieving authentication of a user within a visited domain. The currently implemented protocols include RADIUS and DIAMETER. A typical Internet scenario might involve a user attempting to use a WLAN hotspot (located for example in an Internet cafe or airport terminal) as an access network, when the user is a subscriber of an Internet Service Provider (ISP) broadband network. In the IETF model, authentication is done in the home domain, i.e. the authenticator and authentication server are both in the home domain. While this may be satisfactory to the home domain, it leads to sub-optimal performance due to the signalling overhead and impairs smooth hand-over/mobility within the visited domain.
It is noted that where the access domain is a wireless network, a wireless terminal may communicate with a AAA client/authenticator within the access domain, with the AAA client communicating with a AAA server in the home domain. End-to-end authentication signalling may be conveyed using the Extensible Authentication Protocol (EAP) which is an authentication framework rather than an actual authentication method. One of the roles of EAP is to implement an authentication method beween endpoints. The EAP-AKA method is one example of such an authentication method. In this approach therefore, AKA data will be contained within EAP messages which are in turn contained within DIAMETER messages (for the AAA client to AAA server leg). [UMTS AKA as described above is a 3GPP-specific protocol which does not use AAA and EAP frameworks and should not be confused with EAP-AKA, although of course the actual AKA mechanism is common to both.]
This current protocol "architecture" is illustrated in Figure 1 , where the wireless access network is a 802.11 (WLAN) network and the AKA endpoint is in the home domain. The AAA client/authenticator within the wireless network understands the EAP signalling, and converts EAP in the AAA signalling to EAP over LAN. The AAA client/authenticator is transparent to AKA. It is noted that one or more AAA proxies may be present between the visited and home networks. Communication standards are evolving to provide for the integration of different heterogeneous access domains into one single logical network. This will result in 3GPP -based access domains (e.g. GPRS, UMTS, LTE) and non-3GPP based access domains (e.g. Wimax, WLAN, Fixed-Line broadband, etc) merging to form one logical network (see for example 3GPP 3GPP TR 23.882). A home domain will likely ustilise AAA (e.g. DIAMETER) and EAP, and multiple EAP-methods (such as EAP AKA, EAP SIM, EAP TLS, etc) to communicate with the different access domains and terminals. It is however inevitable that a given home domain will place different levels of trust on different access domains. For example, a high level of trust might be placed on a 3 G access domain, whilst a very low level of trust may be placed on an Internet cafe WLAN.
Summary
According to a first aspect of the present invention there is provided a server for managing the authentication of clients that are subscribers of a home domain within which the server is located, the server comprising means for determining whether a client that is attached to a visited domain is to be authenticated by the home domain or by said visited domain, and for signalling the result to said visited domain.
Embodiments of the present invention introduce a dynamic flexibility into the authentication process. It is now possible for the home domain to determine where the authentication is to take place based upon static properties such as client subscription, and on changing properties such as visited network identity. This results in a service architecture which optimises signalling routes when appropriate whilst maintaining financial security.
The server may comprise a memory for storing authentication data for said clients. The server is arranged, in the event that it determines that the visited network is to be responsible for authentication, to generate session data and to send this to said visited network. Where the visited network is a 3 G network, this data may comprise an authentication vector. In certain embodiments of the invention, the server comprises an interface for communicating with visited domains, first processing means for receiving via said interface a registration request sent by a visited domain in respect of one of said clients, and second processing means for determining whether the request is to be authenticated by the home domain or by the visited domain. The second processing means is arranged, in the former case, to authenticate the request and signal the result to the visited domain via said interface, and, in the latter case, to signal to the visited domain via said interface that the visited domain is to be responsible for authenticating the request.
Said first processing means may be further arranged to receive via said interface a request from a visited network to transfer the authentication decision from one domain to another, in the case of a previously authenticated client. Said second processing means is arranged to make a further determination and to notify the visited network accordingly.
The server may comprise means for determining that a previous decision to delegate an authentication procedure to the visited domain is to be revoked, and for signalling that decision to the visited domain.
It is noted that the authentication procedure which may be delegated to the visited domain may be a second level procedure. A first level procedure may be carried out by the home domain based, for example, upon terminal and/or user identity, prior to conducting the second level procedure at the home domain or, if delegated, at the visited domain.
According to a second aspect of the present invention there is provided a server for authenticating clients attached to the domain within which the server is located, where the clients are subscribers of different, home domains, the server being arranged to communicate with a home domain to receive instructions therefrom as to whether a client is to be authenticate by its home domain or by the visited domain and, in the latter case, to carry out the authentication of the client based upon information received from the home domain.
According to a third aspect of the present invention there is provided a method of authenticating a client attached to a visited domain, where the client is a subscriber of a home domain, the method comprising: sending an authentication request from the visited domain to the home domain in respect of said client; in the home domain, determining whether the client is to be authenticated by the home domain or by said visited domain; in the event that the client is to be authenticated by the home domain, carrying out said authentication in the home domain and signalling the result to the visited domain; and in the event that the client is to be authenticated by the visited domain, sending authentication data from the home domain to the visited domain, and using said data in the visited domain to authenticate the client.
In the case of the AAA protocol, said authentication request may be a DIAMETER Request. In the case that the authentication is to be carried out by the home domain, this is signalled to the visited domain by sending a NACK. The result of the authentication is subsequently signalled to the visited domain by sending an ACCEPT/REJECT message. Authentication involves the exchange of a challenge and response between the home domain and the client. In the case where the authentication is to be carried out by the visited network, this is signalled to the visited domain by sending an ACK message, together with authentication data. A challenge and response exchange is conducted between the client and the visited domain.
Brief Description of the Drawings
Figure 1 illustrates various protocol layers involved in an authentication procedure for a wireless terminal attached to a visited network;
Figure 2 illustrates schematically a communications system architecture comprising visited and home domains;
Figures 3a and 3b are flow diagrams illustrating authentication decision processes carried out with an authentication server of a home domain;
Figure 4 shows authentication related signalling for the case where a home domain takes the decision not to delegate responsibility for authentication to a visited domain;
Figure 5 shows signalling associated with the case where a home domain decides to delegate responsibility for authentication to a visited domain for a limited period or number of tries;
Figure 6 shows signalling associated with the delegation of authentication responsibility to a visited domain, with a subsequent decision to revoke that permission;
Figure 7 is a signalling chart illustrating a case where a visited domain elects to request a transfer of authentication responsibility back to a home domain;
Figure 8 is a signalling chart illustrating a case where a visited domain elects to request a transfer of authentication responsibility to it, from the home domain;
Figure 9 illustrates a signalling flow in the case where a client is attached to a future
3GPP Long Term Evolution (LTE) based access domain; and Figure 10 shows a signalling flow in the case where a client is attached to an I-WLAN access domain.
Detailed Description
There is illustrated in Figure 2 a generic visited domain/home domain architecture which allows for roaming of subscribers (referred to below as "clients") of the home domain into the visited domain. An authentication server 1 is located within the home domain 2 and maintains long-term authentication credentials of the home domain's clients. The authentication server may also act as authenticator for clients seeking to register with visited domains including the illustrated domain 3. A separate authenticator 4 is located within the visited domain 3. Figure 2 illustrates a client 5 attached to the visited domain 3.
The authentication server 1 receives access requests from a visited domain via an interface 6, whereupon processing means 7 within the authentication server makes decisions as to whether authentications are to be performed within the home domain or can be delegated to the visited domain. The server may also determine that authentications are shared between the home and visited domains. For example, it may determine that only the first authentication is to be performed by the home domain and subsequent authentications are delegated to the visited domain, or that only every tenth authentication is to be performed by the home domain, etc. The server makes these decisions based upon certain available information. This information may include, for example, one or more of the following; visited operator identity, access network type, user-id, type of network security being used in the access network of the visited domain, type of user authentication being carried out, selected Access Point Name (APN), Quality of Service (QoS) requirement, charging rules, type of subscription, type of terminal, user location (e.g. certain geographical areas might be considered less secure from a telecommunication point of view) .
Figure 3 a is a flow diagram illustrating the delegation decision process taken by the authentication server within the home domain, namely evaluate input criteria (step 1), set authentication delegation conditions (step 2), and send authentication delegation response to visited domain (step 3). Figure 3b is a flow diagram illustrating a delegation revocation decision process taken by the authentication server. On the basis of newly received input criteria (e.g. received from the visited domain), the authentication server evaluates the criteria to make the revocation decision (step 4), and sends an authentication revocation to the visited domain (step 5).
In the case that the DIAMETER AAA protocol (IETF RFC 3588) is used between the visited and home domains, the access request is typically carried by a DIAMETER Request message sent between a AAA-client (possibly via AAA-proxy) in the visited domain and a HSS/AAA server within the home domain. The home authentication server responds either by sending a DIAMETER Answer message containing a DIAMETER AVP (attribute-value-pair) with authentication data to be used by the visited domain, or by sending to the visited domain a special "NACK" message, informing the visited domain to allow the authentication procedure to proceed between the client and the home domain. Depending upon the response that it receives, the visited domain either just relays authentication related authentication signalling (e.g. EAP AKA signalling), or uses the authentication data received from the home domain to initiate some or all subsequent authentication signalling with the client. It is noted that in the case of AKA authentication method, the AKA authentication vector, i.e. (RAND, XRES, AUTN, Ck, Ik) contains all of the information that the visited domain needs to assume the role of authenticator.
If the decision was to delegate authentication to the visited domain, the home domain still has the option to "revoke" the delegation, in which case any subsequent (re-) authentication takes place in the home domain. DIAMETER supports server-initiated requests that can be used for this purpose. The home domain operator can also delegate authentication to the visited domain for a limited time or a limited number of re- authentications only, after which the visited domain must relay authentication signalling back to the home domain (at least until the home domain once again delegates responsibility for authentication to the visited domain). The home domain operator can also decide that every Nώ authentication should be relayed by the visited domain back to the home domain. Any one of these approaches creates "check points" at which the home domain can choose to continue with or change the applied authentication policy. As DIAMETER generally requires the maintenance of session state information (e.g. for the purpose of accounting), this state information can be extended with information enabling the visited domain to decide when to perform authentication locally and when to defer it to the home domain.
It will be appreciated that the procedure described here does offer the visited domain the opportunity to refuse to "erase" authentication data it already has, and to continue to take the authenticator role even if the home domain revokes the delegated rights. However, in such a circumstance the visited network cannot be guaranteed that it will be paid for used services. In any case, the client itself may elect not to continue.
Figure 4 shows authentication related signalling for the case where the home domain takes the decision not to delegate responsibility for authentication to the visited domain. This may be implemented using the DIAMETER AAA protocol. The initial request Req(IDc) is supplemented with the IDv at the AAA-visited server, and forwarded to the HSS/AAA home server (possibly via a AAA proxy). The latter determines (based upon available information and policies) that no delegation is permitted, and returns a NACK to the AAA-visited server. The challenge response process is then conducted between the HSS/AAA home authenticator and the client. Figure 5 shows signalling associated with the case where the home domain decides to delegate responsibility for authentication for a limited period or number of tries. After receiving the request, the AAA-home server provides authentication data to the AAA- visited authenticator. The latter stores the received data and proceeds to authenticate the client using the received data and a challenge-response procedure. One or more re- authentications can be performed by the visited domain before it must revert to the home domain for a refresh (or denial) of the delegation.
Figure 6 shows signalling associated with the case where the home domain delegates authentication responsibility to the visited domain, but subsequently decides to revoke that permission. The home domain does this by sending a Revoke (IDc) message to the AAA-visited authenticator. This will typically force the client to re-authenticate at the home domain.
It is possible that in some cases a visited domain to which authentication responsibility has previously been delegated (or which is configured to provide authentication by default), can request that the home domain change the authentication domain. This may arise, for example, in the following circumstances: The visited domain wishes to reduce its authentication signalling load;
The visited domain wants to ensure that the home domain is continuously aware of the presence of its roaming user in the visited domain; or The client requests an APN or QoS that the visited domain deems requires authentication in the home domain. A signalling chart illustrating this process is shown in Figure 7.
Figure 8 shows a signalling chart illustrating the case where the home domain has determined that it must be responsible for client authentication, and the visited domain subsequently requests that responsibility for authorisation be transferred from the home domain to the visited domain. This situation may arise, for example, when a client requests an APN local to the visited domain or local breakout takes place, and in which cases the visited domain prefers to authenticate the client itself. Referring now to Figure 9, this illustrates a signalling flow in the case where the client (UE) is attached to a future 3GPP Long Term Evolution (LTE) based access domain (considering here OFDM, Rel8). Typically, DIAMETER AAA will be deployed between the home and visited domains. Here, the initial user authentication is performed using AKA, with the authenticator being implemented at the MME within the visited domain (the "VPLMN"). The HSS within the home domain (the "HPLMN") provides the required authentication vector to the MME upon receipt of the request. The session key included in the authentication vector is passed by the MME to the eNB via the UPE. The flow illustrates the case where the HPLMN subsequently decides to revoke the authentication permission previously given the VPLMN, whereupon the MME sends an AUTH REQUEST to the client. The challenge and response procedure is then conducted between the client and the HPLMN and, assuming this is successful, the session keys are sent from the home HPLMN to the VPLMN.
Figure 10 shows a signalling flow in the case where the client is attached to an I-WLAN access domain. Typically, in the case of a WLAN access domain, authentication would be performed within the home domain. However, in this example, upon receipt of the EAP RESPONSE(IMSI), the home domain elects to delegate authentication responsibility to the access domain. In the illustrated case, it is the IASA in the VPLMN which acts as authenticator after delegation. In principle however, this role could be performed by the Access Node (AN) although this approach would be less secure.
It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.

Claims

Claims
1. A server for managing the authentication of clients that are subscribers of a home domain within which the server is located, the server comprising means for determining whether a client that is attached to a visited domain is to be authenticated by the home domain or by said visited domain, and for signalling the result to said visited domain.
2. A server according to claim 1 and comprising a memory for storing authentication data for said clients.
3. A server according to claim 1 or 2 and being arranged, in the event that it determines that the visited network is to be responsible for authentication, to generate session data and to send this to said visited network.
4. A server according to claim 3, wherein said session data is an authentication vector.
5. A server according to any one of the preceding claims and comprising an interface for communicating with visited domains, first processing means for receiving via said interface a registration request sent by a visited domain in respect of one of said clients, and second processing means for determining whether the request is to be authenticated by the home domain or by the visited domain, the second processing means being arranged, in the former case, to authenticate the request and signal the result to the visited domain via said interface, and, in the latter case, to signal to the visited domain via said interface that the visited domain is to be responsible for authenticating the request.
6. A server according to claim 5, wherein said first processing means is arranged to receive via said interface a request from a visited network to transfer the authentication decision from one domain to another, in the case of a previously authenticated client, and said second processing means is arranged to make a further determination and to notify the visited network accordingly.
7. A server according to any one of the preceding claims and being arranged to determine that a previous decision to delegate an authentication procedure to the visited domain is to be revoked, and to signal that decision to the visited domain.
8. A server according to any one of the preceding claims and being arranged to communicate with said visited domain using a AAA protocol.
9. A server according to claim 8, wherein said AAA protocol is RADIUS or DIAMETER.
10. A server according to any one of the preceding claims and being arranged to communicate with said client using the Extensible Authentication Protocol.
11. A server according to claim 10, wherein the authentication method is EAP- AKA.
12. A server according to any one of claims 1 to 9 and being arranged to communicate with said client using UMTS AKA.
13. A server for authenticating clients attached to the domain within which the server is located, where the clients are subscribers of different, home domains, the server being arranged to communicate with a home domain to receive instructions therefrom as to whether a client is to be authenticate by its home domain or by the visited domain and, in the latter case, to carry out the authentication of the client based upon information received from the home domain.
14. A server according to claim 13, wherein communications between the server and a home domain are governed by a AAA protocol.
15. A method of authenticating a client attached to a visited domain, where the client is a subscriber of a home domain, the method comprising: sending an authentication request from the visited domain to the home domain in respect of said client; in the home domain, determining whether the client is to be authenticated by the home domain or by said visited domain; in the event that the client is to be authenticated by the home domain, carrying out said authentication in the home domain and signalling the result to the visited domain; and in the event that the client is to be authenticated by the visited domain, sending authentication data from the home domain to the visited domain, and using said data in the visited domain to authenticate the client.
16. A method according to claim 15, wherein the home domain and the visited domain communicate using a AAA protocol, and the home domain and the client communicate using the Extensible Authentication Protocol.
17. A method according to claim 16, wherein the EAP-AKA method is used to authenticate the client.
18. A method according to claim 15, wherein the UMTS AKA method is used to authenticate the client.
19. A method according to any one of claims 15 to 18, wherein said step of determining whether the client is to be authenticated by the home domain or by the visited domain utilises at least one of: visited operator identity,
- access network type,
- user-id, type of network security being used in the access network of the visited domain, - type of user authentication being carried out, selected Access Point Name (APN), Quality of Service (QoS) requirement, charging rules, type of subscription, type of terminal, user location whether or not it is an initial authentication.
PCT/EP2007/050097 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure WO2008080637A1 (en)

Priority Applications (7)

Application Number Priority Date Filing Date Title
EP07703657A EP2103077B1 (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure
CN2007800492254A CN101573998B (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure
AT07703657T ATE501583T1 (en) 2007-01-04 2007-01-04 METHOD AND DEVICE FOR DETERMINING AN AUTHENTICATION PROCEDURE
ES07703657T ES2362444T3 (en) 2007-01-04 2007-01-04 METHOD AND APPLIANCE TO DETERMINE AN AUTHENTICATION PROCEDURE.
DE602007013101T DE602007013101D1 (en) 2007-01-04 2007-01-04 METHOD AND DEVICE FOR DETERMINING AN AUTHENTICATION PROCEDURE
US12/521,717 US8332912B2 (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure
PCT/EP2007/050097 WO2008080637A1 (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2007/050097 WO2008080637A1 (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure

Publications (1)

Publication Number Publication Date
WO2008080637A1 true WO2008080637A1 (en) 2008-07-10

Family

ID=37845263

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/050097 WO2008080637A1 (en) 2007-01-04 2007-01-04 Method and apparatus for determining an authentication procedure

Country Status (7)

Country Link
US (1) US8332912B2 (en)
EP (1) EP2103077B1 (en)
CN (1) CN101573998B (en)
AT (1) ATE501583T1 (en)
DE (1) DE602007013101D1 (en)
ES (1) ES2362444T3 (en)
WO (1) WO2008080637A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101873311A (en) * 2010-05-26 2010-10-27 上海动量软件技术有限公司 Method for implementing configuration clause processing of policy-based network in cloud component software system
EP3171573A1 (en) * 2012-08-30 2017-05-24 Aerohive Networks, Inc. Internetwork authentication
US9986432B2 (en) 2013-12-23 2018-05-29 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
US10659960B2 (en) 2013-12-23 2020-05-19 Koninklijke Kpn N.V. Method and system for providing security from a radio access network

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100488170C (en) * 2006-01-26 2009-05-13 中兴通讯股份有限公司 Update method of route trigger area in the packet wireless system
CN101399767B (en) * 2007-09-29 2011-04-20 华为技术有限公司 Method, system and apparatus for security capability negotiation during terminal moving
KR101556906B1 (en) * 2008-12-29 2015-10-06 삼성전자주식회사 Method for handover by pre-authenticating between heterogeneous wireless communication systems
US8645695B2 (en) * 2009-10-07 2014-02-04 Blackberry Limited System and method for managing security key architecture in multiple security contexts of a network environment
US9479509B2 (en) * 2009-11-06 2016-10-25 Red Hat, Inc. Unified system for authentication and authorization
CN101765082A (en) * 2009-12-28 2010-06-30 中兴通讯股份有限公司 Method for distinguishing authentication charging point according to regions and system
US8929862B2 (en) 2011-07-08 2015-01-06 Motorola Solutions, Inc. Method and apparatus for attaching a wireless device to a foreign 3GPP wireless domain using alternative authentication mechanisms
US8699709B2 (en) * 2011-07-08 2014-04-15 Motorola Solutions, Inc. Methods for obtaining authentication credentials for attaching a wireless device to a foreign 3GPP wireless domain
US9092607B2 (en) * 2012-10-01 2015-07-28 Oracle International Corporation Dynamic flow control for access managers
US20140093071A1 (en) * 2012-10-02 2014-04-03 Telefonaktiebolaget L M Ericsson (Publ) Support of multiple pdn connections over a trusted wlan access
US9762679B2 (en) * 2013-03-15 2017-09-12 Aerohive Networks, Inc. Providing stateless network services
US9769056B2 (en) 2013-03-15 2017-09-19 Aerohive Networks, Inc. Gateway using multicast to unicast conversion
EP2835995A1 (en) * 2013-08-09 2015-02-11 Giesecke & Devrient GmbH Methods and devices for performing a mobile network switch
US9992619B2 (en) 2014-08-12 2018-06-05 Aerohive Networks, Inc. Network device based proximity beacon locating
JP6715867B2 (en) 2015-06-05 2020-07-01 コンヴィーダ ワイヤレス, エルエルシー Unified authentication for integrated small cell and WIFI networks
FR3039954A1 (en) * 2015-08-05 2017-02-10 Orange METHOD AND DEVICE FOR IDENTIFYING VISIT AND HOME AUTHENTICATION SERVERS
CN107820234B (en) * 2016-09-14 2021-02-23 华为技术有限公司 Network roaming protection method, related equipment and system
JP6917469B2 (en) * 2017-10-10 2021-08-11 株式会社Nttドコモ Security establishment method, terminal equipment and network equipment
BR112020026940A2 (en) * 2018-06-30 2021-03-30 Nokia Solutions And Networks Oy HANDLING FAILURE TO ACCESS NON 3GPP TO 5GCN NOT BEING ALLOWED
US11863348B2 (en) * 2021-07-06 2024-01-02 Cisco Technology, Inc. Message handling between domains
CN116760610B (en) * 2023-06-30 2024-05-07 中国科学院空天信息创新研究院 User cross-domain authentication system, method, equipment and medium under network limited condition

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002069605A2 (en) 2001-02-21 2002-09-06 Nokia Corporation Method and system for delegation of security procedures to a visited domain
WO2003065640A1 (en) 2002-01-29 2003-08-07 Plumtree Software, Inc. Single sign-on over the internet using public-key cryptography

Family Cites Families (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19635581C1 (en) * 1996-09-02 1997-10-23 Siemens Ag Cellular mobile communications network subscriber location method
US7900242B2 (en) * 2001-07-12 2011-03-01 Nokia Corporation Modular authentication and authorization scheme for internet protocol
US6993596B2 (en) * 2001-12-19 2006-01-31 International Business Machines Corporation System and method for user enrollment in an e-community
JP4065850B2 (en) * 2002-01-24 2008-03-26 シーメンス アクチエンゲゼルシヤフト Protecting data traffic in a mobile network environment
US7882346B2 (en) * 2002-10-15 2011-02-01 Qualcomm Incorporated Method and apparatus for providing authentication, authorization and accounting to roaming nodes
US20040166874A1 (en) * 2002-11-14 2004-08-26 Nadarajah Asokan Location related information in mobile communication system
US7870389B1 (en) * 2002-12-24 2011-01-11 Cisco Technology, Inc. Methods and apparatus for authenticating mobility entities using kerberos
US20040131023A1 (en) * 2003-01-03 2004-07-08 Otso Auterinen Communications system and method
AU2003202182A1 (en) * 2003-01-10 2004-08-10 Telefonaktiebolaget Lm Ericsson (Publ) Single sign-on for users of a packet radio network roaming in a multinational operator network
US7774828B2 (en) * 2003-03-31 2010-08-10 Alcatel-Lucent Usa Inc. Methods for common authentication and authorization across independent networks
US7506370B2 (en) * 2003-05-02 2009-03-17 Alcatel-Lucent Usa Inc. Mobile security architecture
GB0311921D0 (en) * 2003-05-23 2003-06-25 Ericsson Telefon Ab L M Mobile security
US7934094B2 (en) * 2003-06-18 2011-04-26 Telefonaktiebolaget Lm Ericsson (Publ) Method, system and apparatus to support mobile IP version 6 services
CA2451313C (en) * 2003-11-28 2011-10-18 Nicolas Nedkov Systems and methods for controlling access to a public data network from a visited access provider
BRPI0513195A (en) * 2004-07-09 2008-04-29 Matsushita Electric Ind Co Ltd systems for administering user authentication and authorization, and for user support, methods for administering user authentication and authorization, for accessing services from multiple networks, for the authentication controller to process an authentication request message, to select the combination of authentication controllers. search result authentication, authenticating a user, and finding the way to a domain having business relationship with the home domain, for the authorization controller to process the service authorization request message, and perform service authorization for a domain controller. authentication and authorization perform authentication and service authorization, to protect the user token, and for the user's home domain access control authority to provide the authentication controller with a limited user signature profile information, to achieve authentication and authorize fast access, and to achieve single registration to access multiple networks, and formats for subscription capability information, for a user symbol, for a domain having business relationship with a user's home domain to request authentication and authorization assertion , and for a user terminal to indicate their credentials for accessing multiple networks across multiple administrative domains.
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US7505482B2 (en) * 2004-11-15 2009-03-17 At&T Intellectual Property I, L.P. Application services infrastructure for next generation networks
US8230073B1 (en) * 2005-01-21 2012-07-24 Apple Inc. Service templates for an IP multimedia subsystem
CN1835621B (en) * 2005-03-14 2010-05-12 上海贝尔阿尔卡特股份有限公司 Method and device for security user's layer mobile positioning in radio network
US7881468B2 (en) * 2005-04-08 2011-02-01 Telefonaktiebolaget L M Ericsson (Publ) Secret authentication key setup in mobile IPv6
US20070100981A1 (en) * 2005-04-08 2007-05-03 Maria Adamczyk Application services infrastructure for next generation networks including one or more IP multimedia subsystem elements and methods of providing the same
CN1874217B (en) * 2005-09-27 2010-12-08 华为技术有限公司 Method for determining route
US7626963B2 (en) * 2005-10-25 2009-12-01 Cisco Technology, Inc. EAP/SIM authentication for mobile IP to leverage GSM/SIM authentication infrastructure
DE102006004868B4 (en) * 2005-11-04 2010-06-02 Siemens Ag Method and server for providing a mobility key
AU2006338680B2 (en) * 2006-02-23 2009-11-19 Togewa Holding Ag Switching system and corresponding method for unicast or multicast end-to-end data and/or multimedia stream transmissions between network nodes
JP5144679B2 (en) * 2006-12-19 2013-02-13 テレフオンアクチーボラゲット エル エム エリクソン(パブル) User access management in communication networks
US8467290B2 (en) * 2006-12-26 2013-06-18 Ciena Corporation Methods and systems for distributed authentication and caching for internet protocol multimedia subsystem and other session initiation protocol systems
WO2008080420A1 (en) * 2006-12-28 2008-07-10 Telefonaktiebolaget Lm Ericsson (Publ) Mobile ip proxy

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002069605A2 (en) 2001-02-21 2002-09-06 Nokia Corporation Method and system for delegation of security procedures to a visited domain
WO2003065640A1 (en) 2002-01-29 2003-08-07 Plumtree Software, Inc. Single sign-on over the internet using public-key cryptography

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"Symmetric security procedures for H.323 mobility in H.510", ITU-T STANDARD IN FORCE (I), INTERNATIONAL TELECOMMUNICATION UNION, GENEVA,, CH, no. H530 3/2, 29 March 2002 (2002-03-29), XP017401532 *
H. WANG ET AL.: "Research Issues for Fast Authentication in Inter-Domain Handover", WIRELESS WORLD RESEARCH FORUM, February 2004 (2004-02-01)
MIYOUNG KIM YOUNGSONG MUN SOONGSIL UNIVERSITY: "Localized Key Management for AAA in Mobile IPv6", IETF STANDARD-WORKING-DRAFT, INTERNET ENGINEERING TASK FORCE, IETF, CH, October 2002 (2002-10-01), XP015032831, ISSN: 0000-0004 *
STEFANO M FACCIN FRANCK LE NOKIA RESEARCH CENTER: "AAA Local Security Association (LSA): The Temporary Shared Key (TSK)", IETF STANDARD-WORKING-DRAFT, INTERNET ENGINEERING TASK FORCE, IETF, CH, July 2001 (2001-07-01), XP015031409, ISSN: 0000-0004 *
WIRELESS WORLD RESEARCH FORUM: "Research Issues for Fast Authentication in Inter-Domain Handover", WWRF, February 2004 (2004-02-01), XP002425724, Retrieved from the Internet <URL:http://www.docomoeurolabs.de/pdf/publications/STL_research_issues_fast_authentication.pdf> [retrieved on 20070320] *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101873311A (en) * 2010-05-26 2010-10-27 上海动量软件技术有限公司 Method for implementing configuration clause processing of policy-based network in cloud component software system
EP3171573A1 (en) * 2012-08-30 2017-05-24 Aerohive Networks, Inc. Internetwork authentication
US9986432B2 (en) 2013-12-23 2018-05-29 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
US10659960B2 (en) 2013-12-23 2020-05-19 Koninklijke Kpn N.V. Method and system for providing security from a radio access network

Also Published As

Publication number Publication date
US20110093919A1 (en) 2011-04-21
ATE501583T1 (en) 2011-03-15
EP2103077A1 (en) 2009-09-23
EP2103077B1 (en) 2011-03-09
ES2362444T3 (en) 2011-07-05
CN101573998A (en) 2009-11-04
DE602007013101D1 (en) 2011-04-21
US8332912B2 (en) 2012-12-11
CN101573998B (en) 2013-01-02

Similar Documents

Publication Publication Date Title
US8332912B2 (en) Method and apparatus for determining an authentication procedure
RU2745719C2 (en) Implementation of inter-network connection function using untrusted network
US10362617B2 (en) Method and system for a mobile communication device to access services
EP1693995B1 (en) A method for implementing access authentication of wlan user
AU2005236981B2 (en) Improved subscriber authentication for unlicensed mobile access signaling
US9503890B2 (en) Method and apparatus for delivering keying information
US7974234B2 (en) Method of authenticating a mobile network node in establishing a peer-to-peer secure context between a pair of communicating mobile network nodes
FI121560B (en) Authentication in a mobile communication system
EP3120515B1 (en) Improved end-to-end data protection
EP1770940B1 (en) Method and apparatus for establishing a communication between a mobile device and a network
US20080026724A1 (en) Method for wireless local area network user set-up session connection and authentication, authorization and accounting server
US20070143613A1 (en) Prioritized network access for wireless access networks
JP4687788B2 (en) Wireless access system and wireless access method
US20060128362A1 (en) UMTS-WLAN interworking system and authentication method therefor
KR101427447B1 (en) One-pass authentication mechanism and system for heterogeneous networks
US20150058938A1 (en) Integrated IP Tunnel and Authentication Protocol based on Expanded Proxy Mobile IP
EP2215803A1 (en) Network access authentication
US20070099597A1 (en) Authentication in a communication network
EP1657943A1 (en) A method for ensuring secure access to a telecommunication system comprising a local network and a PLMN
Kwon et al. Mobility Management for UMTS-WLAN Seamless Handover; Within the Framework of Subscriber Authentication
Said et al. A Comparative Study on Security implementation in EPS/LTE and WLAN/802.11
Salsano et al. Technical Report N: T2. 1_2005_PR_R02 WLAN/3G secure authentication based on SIP

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780049225.4

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07703657

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2007703657

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 12521717

Country of ref document: US